OpenVPN Access Server can be configured in a site-to-site bridging setup that transparently bridges two sites together using an OpenVPN gateway client.
In order to do so, some requirements must be met. These requirements are detailed below.
The diagram above depicts a typical site-to-site layer 2 bridging setup. In order to complete this setup, all of the following requirements must be met:
In order to start the bridging process, you must first have Access Server generate an autologin profile. To do so, visit the User Permissions area, create an appropriate username for the bridging OpenVPN client, and then check the Allow Auto-login checkbox. Click the Update Running Server button to make sure the changes take effect.
Now, log in to the Client Web Server (CWS) and, when prompted, select Login from the dropdown.
Download the autologin profile that is offered to you in the CWS.
Using an SFTP client such as FileZilla or Cyberduck, upload the .ovpn profile and the two bridging scripts you have downloaded to the /etc/openvpn/ folder on the Linux OpenVPN client machine.
NOTE: If you have an ESXi host capable of running 64-bit operating systems, you can save yourself some time by deploying a preconfigured Debian OpenVPN Client here. You will not need to download the bridging scripts if you are using the preconfigured ESXi OpenVPN client.
Log in to your Linux OpenVPN client via SSH. Once logged in:
1) Rename the OpenVPN profile so that it has a .conf extension by issuing the following command:
mv client.ovpn client.conf
2) Make sure the bridge utilities are installed on the system by invoking the brctl command. When they are properly installed, the command displays its usage help. If you get a command not found error, install the bridge utilities for your Linux distribution.
For Debian/Ubuntu distributions, they can be installed with the apt-get install bridge-utils command.
3) Determine which interface is the private interface you want to bridge. Typically this is the interface that connects only to the local clients and does not already have an IP address assigned to it. If you are uncertain, use the ifconfig -a command and verify the interface name by its MAC address. Make sure you do not mistakenly note down the interface you use to connect to the Internet, or else you WILL lose connectivity! Note this interface name down for the next step.
4) Using a text editor such as nano, edit the bridge-up.sh file (in the ESXi OpenVPN Client appliance, this file is located in /sbin/). Under the define physical ethernet interface section, change eth="eth1" to the interface name you determined in the previous step. For example, if you determined that the private interface is called eth2, change eth1 to eth2. Also, change the IP address and subnet mask to the static IP you want to assign to the bridge (this IP address and subnet should belong to the remote site you are trying to bridge). Save the file and exit the text editor.
5) Using a text editor such as nano, edit the autologin profile you downloaded from the CWS. At the top of the file, add the following lines to the profile:
up "/bin/bash /etc/openvpn/bridge-up.sh"
down "/bin/bash /etc/openvpn/bridge-down.sh"
NOTE: For the ESXi OpenVPN Client, use the /sbin/bridge-up.sh and /sbin/bridge-down.sh paths instead of /etc/openvpn/bridge-up.sh and /etc/openvpn/bridge-down.sh paths.
Save the file, and then exit the text editor.
6) Start the OpenVPN profile by restarting the OpenVPN service with the /etc/init.d/openvpn restart command.
7) Verify that the connection is active by issuing an ifconfig br0 command. If the bridging is successful, the br0 interface is configured with the IP address you set earlier in bridge-up.sh. At this point, your bridged site clients should be able to obtain an IP address via DHCP or by manual configuration.
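As an added example (not the bridge-up.sh distributed with Access Server or the ESXi appliance), here is an up script of the kind the procedure above installs, extended with a preflight check that enforces the step 3 warning by refusing to bridge the interface that carries the default route or one that already has an address. The interface name eth1, the 192.168.100.250/24 bridge address and the use of iproute2's ip command for the check are assumptions; OpenVPN passes the tap device name as the first argument when it runs the script.

```shell
#!/bin/bash
# Illustrative bridge-up.sh (added example, not the script distributed with Access Server).
# OpenVPN runs it via:  up "/bin/bash /etc/openvpn/bridge-up.sh"
# and appends the tap device name as $1 (also exported as $dev). The profile must
# also contain "script-security 2", or OpenVPN refuses to execute user scripts.

br="br0"
eth="eth1"                  # private interface found in step 3 (assumed name)
eth_ip="192.168.100.250"    # constructed address on the remote site's LAN
eth_netmask="255.255.255.0"

# Print the interface that carries the default route, given the output of
# `ip -4 route show default`. This is the uplink that must never be added to the bridge.
default_route_iface() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }'
}

# preflight IFACE ROUTE_TEXT ADDR_TEXT
#   ROUTE_TEXT: output of `ip -4 route show default`
#   ADDR_TEXT:  output of `ip -4 -o addr show dev IFACE` (empty when no IPv4 address)
# Returns 1 if IFACE is the uplink, 2 if it already has an IPv4 address, else 0.
preflight() {
    if [ "$1" = "$(default_route_iface "$2")" ]; then return 1; fi
    if [ -n "$3" ]; then return 2; fi
    return 0
}

# Build the bridge: attach the physical interface and the tap to br0, clear their
# addresses, and give the bridge the static address chosen in step 4.
bridge_up() {
    tap="$1"
    if ! preflight "$eth" "$(ip -4 route show default)" "$(ip -4 -o addr show dev "$eth")"; then
        echo "bridge-up.sh: refusing to bridge $eth (uplink or already addressed)" >&2
        exit 1    # non-zero exit makes OpenVPN abort instead of bridging the wrong interface
    fi
    brctl addbr "$br"
    brctl addif "$br" "$eth"
    brctl addif "$br" "$tap"
    ifconfig "$eth" 0.0.0.0 promisc up
    ifconfig "$tap" 0.0.0.0 promisc up
    ifconfig "$br" "$eth_ip" netmask "$eth_netmask" up
}

# Only act when OpenVPN supplies a device name; sourcing the file just defines the functions.
if [ -n "$1" ]; then bridge_up "$1"; fi
```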